
Version 11 (Martin Willi, 01.10.2007 15:26) → Version 12/32 (Martin Willi, 01.10.2007 15:26)


h1. ipsec

*ipsec* is actually an umbrella command comprising a collection of individual sub commands of the form

*ipsec _<command>_ [ _<argument>_ ] [ _<options>_ ]*

that can be used to control and monitor IPsec connections as well as the IKE daemons.

h2. Control Commands

*ipsec start [ _<starter options>_ ]*
calls [[IpsecStarter|ipsec starter]] [ _<starter options>_ ] which in turn parses
[[IpsecConf|ipsec.conf]] and starts the IKEv1 pluto and IKEv2 charon daemons.

*ipsec stop*
terminates all IPsec connections and stops the IKEv1 pluto and IKEv2 charon daemons by sending
a _TERM_ signal to [[IpsecStarter|ipsec starter]].

*ipsec restart [ _<starter options>_ ]*
is equivalent to *ipsec stop* followed by *ipsec start [ _<starter options>_ ]* after a
guard period of 2 seconds.

*ipsec update*
sends a _HUP_ signal to [[IpsecStarter|ipsec starter]] which in turn determines any changes
in [[IpsecConf|ipsec.conf]] and updates the configuration on the running IKEv1 pluto and IKEv2
charon daemons, correspondingly.

*ipsec reload*
sends a _USR1_ signal to [[IpsecStarter|ipsec starter]] which in turn reloads the
whole configuration on the running IKEv1 pluto and IKEv2 charon daemons based on the actual
[[IpsecConf|ipsec.conf]].

*ipsec up _<name>_*
tells the responsible IKE daemon to start up connection _<name>_. Implemented by calling the
[[IpsecWhack|ipsec whack]] --name _<name>_ --initiate and/or [[IpsecStroke|ipsec stroke]]
up _<name>_ commands.

*ipsec down _<name>_*
tells the responsible IKE daemon to terminate connection _<name>_. Implemented by calling the
[[IpsecWhack|ipsec whack]] --name _<name>_ --terminate and/or [[IpsecStroke|ipsec stroke]]
down _<name>_ commands.

*ipsec route _<name>_*
tells the responsible IKE daemon to insert an [[IpsecPolicy|IPsec policy]] in the kernel for
connection _<name>_. The first payload packet matching the [[IpsecPolicy|IPsec policy]]
will automatically trigger an IKE connection setup. Implemented by calling the
[[IpsecWhack|ipsec whack]] --name _<name>_ --route and/or
[[IpsecStroke|ipsec stroke]] route _<name>_ commands.

*ipsec unroute _<name>_*
removes the [[IpsecPolicy|IPsec policy]] in the kernel for connection _<name>_. Implemented
by calling the [[IpsecWhack|ipsec whack]] --name _<name>_ --unroute and/or
[[IpsecStroke|ipsec stroke]] unroute _<name>_ commands.

*ipsec status [ _<name>_ ]*
returns concise status information either on connection _<name>_ or, if the argument is lacking,
on all connections. Implemented by calling the [[IpsecWhack|ipsec whack]] [ --name _<name>_ ]
--status and/or [[IpsecStroke|ipsec stroke]] status [ _<name>_ ] commands.

*ipsec statusall [ _<name>_ ]*
returns detailed status information either on connection _<name>_ or, if the argument is lacking,
on all connections. Implemented by calling the [[IpsecWhack|ipsec whack]] [ --name _<name>_ ]
statusall and/or [[IpsecStroke|ipsec stroke]] statusall [ _<name>_ ] commands.

h2. Info Commands

*ipsec version*
returns the ipsec version in the form of *Linux strongSwan U_<strongSwan userland version>_/K_<Linux kernel version>_*
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.

*ipsec copyright*
returns the copyright information.

*ipsec --confdir*
returns the _SYSCONFDIR_ directory as defined by the [[InstallationDocumentation|./configure]]
options.

*ipsec --directory*
returns the _LIBEXECDIR_ directory as defined by the [[InstallationDocumentation|./configure]]
options.

*ipsec --help*
returns the usage information for the ipsec command.

*ipsec --versioncode*
returns the ipsec version number in the form of
*U_<strongSwan userland version>_/K_<Linux kernel version>_*
if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is running on.
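
As an added illustration that is not part of this wiki page or of the strongSwan *ipsec* script itself: POSIX shell helpers that parse the U.../K... version formats described under Info Commands and that pick, for an edited file, the least disruptive control command from the previous section. The IPSEC_BIN variable and the sample version string "U4.1.8/K2.6.22" are assumptions made here.

```shell
#!/bin/sh
# Added illustration, not the strongSwan project's own ipsec script.
# IPSEC_BIN (assumed here) lets the helpers run against a stub instead of
# the real umbrella command, e.g. IPSEC_BIN=echo for a dry run.
IPSEC_BIN=${IPSEC_BIN:-ipsec}

# Split a versioncode such as "U4.1.8/K2.6.22" (constructed sample; the
# documented format is U<strongSwan userland version>/K<Linux kernel version>)
# into "<userland> <kernel>". Returns 1 if the input does not follow the format.
parse_versioncode() {
    code=$1
    case "$code" in
        U*/K*) ;;
        *) return 1 ;;
    esac
    userland=${code#U}
    userland=${userland%%/K*}
    kernel=${code##*/K}
    [ -n "$userland" ] && [ -n "$kernel" ] || return 1
    printf '%s %s\n' "$userland" "$kernel"
}

# "ipsec version" prints the same code behind a "Linux strongSwan " prefix.
parse_version() {
    case "$1" in
        "Linux strongSwan "*) parse_versioncode "${1#"Linux strongSwan "}" ;;
        *) return 1 ;;
    esac
}

# Map an edited file to the control command that applies it without tearing
# down tunnels: ipsec.conf changes need only "update" (HUP to ipsec starter,
# which applies the differences), ipsec.secrets changes only "rereadsecrets".
# "restart" would drop every connection for at least the 2 second guard period.
apply_change() {
    case "$1" in
        */ipsec.conf|ipsec.conf)       "$IPSEC_BIN" update ;;
        */ipsec.secrets|ipsec.secrets) "$IPSEC_BIN" rereadsecrets ;;
        *) echo "apply_change: no reload command known for $1" >&2; return 2 ;;
    esac
}
```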

h2. List Commands

*ipsec listaacerts [ --utc ]*
returns a list of X.509 Authorization Authority (AA) certificates that were loaded locally by
the IKE daemon from the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts/]] directory.
Implemented by calling the [[IpsecWhack|ipsec whack]] --listaacerts and/or
[[IpsecStroke|ipsec stroke]] listaacerts commands.

*ipsec listacerts [ --utc ]*
returns a list of X.509 Attribute certificates that were loaded locally by the IKE daemon from the
[[IpsecDirectoryAcerts|/etc/ipsec.d/acerts/]] directory. Implemented by calling the
[[IpsecWhack|ipsec whack]] --listacerts and/or [[IpsecStroke|ipsec stroke]] listacerts
commands.

*ipsec listalgs*
returns a list of all supported IKE encryption and hash algorithms, the available Diffie-Hellman
groups, as well as all ESP encryption and authentication algorithms registered via the Linux
kernel's Crypto API. Supported by the IKEv1 pluto daemon only. Implemented by calling the
[[IpsecWhack|ipsec whack]] --listalgs command.

*ipsec listcacerts [ --utc ]*
returns a list of X.509 Certification Authority (CA) certificates that were loaded locally by
the IKE daemon from the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts/]] directory or received
in PKCS#7-wrapped certificate payloads via the IKE protocol. Implemented by calling the
[[IpsecWhack|ipsec whack]] --listcacerts and/or [[IpsecStroke|ipsec stroke]] listcacerts
commands.

*ipsec listcainfos [ --utc ]*
returns Certification Authority information (CRL distribution points, OCSP URIs, LDAP servers)
that were defined by [[CaSection|ca sections]] in [[IpsecConf|ipsec.conf]]. Implemented
by calling the [[IpsecWhack|ipsec whack]] --listcainfos and/or [[IpsecStroke|ipsec stroke]]
listcainfos commands.

*ipsec listcards [ --utc ]*
lists all certificates found on attached smart cards. Supported by the IKEv1 pluto daemon only.
Implemented by calling the [[IpsecWhack|ipsec whack]] --listcards command.

*ipsec listcrls [ --utc ]*
returns a list of Certificate Revocation Lists (CRLs) that were either loaded by the IKE daemon
from the [[IpsecDirectoryCrls|/etc/ipsec.d/crls/]] directory or fetched from an HTTP- or
LDAP-based CRL distribution point. Implemented by calling the [[IpsecWhack|ipsec whack]]
--listcrls and/or [[IpsecStroke|ipsec stroke]] listcrls commands.

*ipsec listcerts [ --utc ]*
returns a list of X.509 and/or [[OpenPGP]] certificates that were either loaded locally by the IKE
daemon or received via the IKEv2 protocol. Implemented by calling the [[IpsecWhack|ipsec whack]]
--listcerts and/or [[IpsecStroke|ipsec stroke]] listcerts commands.

*ipsec listgroups [ --utc ]*
returns a list of all groups that are used to define user authorization profiles. Supported by
the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]] --listgroups
command.

*ipsec listocsp [ --utc ]*
returns cached revocation information fetched from OCSP servers. Implemented by calling the
[[IpsecWhack|ipsec whack]] --listocsp and/or [[IpsecStroke|ipsec stroke]] listocsp commands.

*ipsec listocspcerts [ --utc ]*
returns a list of X.509 OCSP Signer certificates that were either loaded locally by the IKE
daemon from the [[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts/]] directory or were sent
by an OCSP server. Implemented by calling the [[IpsecWhack|ipsec whack]] --listocspcerts
and/or [[IpsecStroke|ipsec stroke]] listocspcerts commands.

*ipsec listpubkeys [ --utc ]*
returns a list of RSA public keys that were either loaded in raw key format or extracted
from X.509 and/or [[OpenPGP]] certificates. Supported by the IKEv1 pluto daemon only. Implemented
by calling the [[IpsecWhack|ipsec whack]] --listpubkeys command.

*ipsec listall [ --utc ]*
returns all information generated by the list commands above. Each list command can be called
with the _--utc_ option which displays all dates in UTC instead of local time. Implemented by
calling the [[IpsecWhack|ipsec whack]] --listall and/or [[IpsecStroke|ipsec stroke]]
listall commands.

h2. Reread Commands

*ipsec rereadaacerts*
reads all certificate files contained in the [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts/]]
directory and adds them to the list of Authorization Authority (AA) certificates. Implemented
by calling the [[IpsecWhack|ipsec whack]] --rereadaacerts and/or
[[IpsecStroke|ipsec stroke]] rereadaacerts commands.

*ipsec rereadacerts*
reads all certificate files contained in the [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts/]]
directory and adds them to the list of attribute certificates. Implemented by calling the
[[IpsecWhack|ipsec whack]] --rereadacerts and/or [[IpsecStroke|ipsec stroke]]
rereadacerts commands.

*ipsec rereadcacerts*
reads all certificate files contained in the [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts/]]
directory and adds them to the list of Certification Authority (CA) certificates. Implemented
by calling the [[IpsecWhack|ipsec whack]] --rereadcacerts and/or
[[IpsecStroke|ipsec stroke]] rereadcacerts commands.

*ipsec rereadcrls*
reads all Certificate Revocation Lists (CRLs) contained in the
[[IpsecDirectoryCrls|/etc/ipsec.d/crls/]] directory and adds them to the list of CRLs.
Older CRLs are replaced by newer ones. Implemented by calling the [[IpsecWhack|ipsec whack]]
--rereadcrls and/or [[IpsecStroke|ipsec stroke]] rereadcrls commands.

*ipsec rereadocspcerts*
reads all certificate files contained in the
[[IpsecDirectoryOcspcerts|/etc/ipsec.d/ocspcerts/]] directory and adds them to the list
of OCSP signer certificates. Implemented by calling the [[IpsecWhack|ipsec whack]]
--rereadocspcerts and/or [[IpsecStroke|ipsec stroke]] rereadocspcerts commands.

*ipsec rereadsecrets*
flushes and rereads all secrets defined in [[IpsecSecrets|ipsec.secrets]].
Implemented by calling the [[IpsecWhack|ipsec whack]] --rereadsecrets and/or
[[IpsecStroke|ipsec stroke]] rereadsecrets commands.

*ipsec secrets*
is equivalent to *ipsec rereadsecrets*.

*ipsec rereadall*
executes all reread commands listed above. Implemented by calling the
[[IpsecWhack|ipsec whack]] --rereadall and/or
[[IpsecStroke|ipsec stroke]] rereadall commands.

h2. Purge Commands

*ipsec purgeocsp*
purges all cached OCSP information records. Implemented by calling the
[[IpsecWhack|ipsec whack]] --purgeocsp and/or
[[IpsecStroke|ipsec stroke]] purgeocsp commands.

h2. PKCS11 Proxy Commands

*ipsec scencrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]]
--scencrypt command.

*ipsec scdecrypt _<value>_ [ --inbase _<base>_ ] [ --outbase _<base>_ ] [ --keyid _<id>_ ]*
Supported by the IKEv1 pluto daemon only. Implemented by calling the [[IpsecWhack|ipsec whack]]
--scdecrypt command.